1. No category

Unateness, Symmetry and Self-Duality of Boolean Functions

KUIS{95{0009
Unateness, Symmetry and Self-Duality of
Boolean Functions Satisfying the Propagation
Criterion
HIROSE Shouichi
IKEDA Katsuo
Tel: +81 75 753 5387
Fax: +81 75 751 0482
E-mail: fhirose, [email protected]
May 29, 1995
Abstract
Nonlinearity is an important concept for the design of conventional cryptosystems. The propagation criterion(PC) is a nonlinearity criteria of Boolean functions. The aim of this paper is to
investigate the relationships between the PC and each one of the unateness, the symmetry and the
self-duality. The latter three properties are not desirable for the components of cryptosystems.
First, relationships are presented between the unateness and the degree of the PC. It is shown
that every Boolean function with four or more variables satisfying the PC of degree 1 is unate in at
most two of its variables and that every Boolean function with four or more variables satisfying the
PC of degree 2 is not unate in any one of its variables. These results show the incompatibility of the
PC and the unateness. Second, relationships between the PC and the symmetry are investigated.
It is shown that there exist symmetric functions satisfying the PC of maximum degree. Finally,
compatibility of the PC and the self-duality is discussed. For every odd n 3, the existence of
self-dual functions with n variables satisfying the PC of degree n 0 1 is shown, which has been
implicitly shown before in a few literatures. It is also shown that, for every n 2, The degree of
the PC of every self-dual function with n variables is at most n=2 0 1.
1 Introduction
Nonlinearity is an important concept for the design of conventional cryptosystems. Several nonlinearity criteria have been proposed as design principles of good conventional cryptosystems[Rue91].
The propagation criterion(PC)[PLLGV91], which is a generalized notion of the strict avalanche
criterion[WT86] and the perfect nonlinearity[MS90], is a nonlinearity criteria of Boolean functions.
In the study of Boolean functions, Boolean functions with some sort of properties, such as unateness, symmetry, self-duality, and so on, have been investigated. These properties are not desirable for
the components of cryptosystems. The aim of this paper is to investigate the relationships between
the PC and each one of the unateness, the symmetry and the self-duality.
First, relationships are presented between the unateness and the degree of the PC. It is shown
that every Boolean function with four or more variables satisfying the PC of degree 1 is unate in
at most two of its variables and that there exist Boolean functions with four or more variables that
satisfy the PC of degree 1 and that are unate in two of their variables. It is also shown that every
Boolean function with four or more variables satisfying the PC of degree 2 is not unate in any one of
its variables. These results show the incompatibility of the PC and the unateness.
Second, relationships between the PC and the symmetry are investigated. It is shown that there
exist symmetric functions satisfying the PC of maximum degree. These functions are also identied.
Finally, compatibility of the PC and the self-duality is discussed. For every odd n 3, the
existence of self-dual functions with n variables satisfying the PC of degree n 0 1 is shown and an
exact characterization of these functions is achieved. These results are shown implicitly in [SZZ93]
and [HI95b]. It is also shown that, for every n 2, The degree of the PC of every self-dual function
with n variables is at most n=2 0 1. The optimality of the result is also shown.
Section 2 gives basic concepts and discusses Boolean functions satisfying the PC. Relationships
between the PC and the unateness are discussed in Section 3. Section 4 is devoted to the symmetric Boolean functions satisfying the PC. The self-duality of Boolean functions satisfying the PC is
discussed in Section 5.
2 Preliminaries
2.1 Walsh transform and Boolean functions
Let R and N denote the set of reals and the set of integers, respectively.
Denition 1 The Walsh transform of a real-valued function f : f0; 1gn ! R is
(W(f ))(!) =
X
x2f0;1gn
f (x)(01)!1x ;
where x = (x1; : : : ; xn), ! = (!1; : : : ; !n) 2 f0; 1gn and ! 1 x = !1x1 8 1 1 1 8 !nxn.
For simplicity, (W(f ))(!) is often denoted by F (!). The inverse Walsh transform is
1
!1x
f (x) = (W01 (F ))(x) = n
2 !2f0;1gn F (!)(01) :
2
X
The Walsh transform can be represented in a matrix form[Rue91]. For f : f0; 1gn ! R, let f (i)
denote f (x1; : : : ; xn) when x1 + x22 + 1 1 1 + xn2n01 = i. Let [f ] = [f (0); f (1); : : : ; f (2n 0 1)] and
[F ] = [F (0); F (1); : : : ; F (2n 0 1)]. The Walsh transform is represented as
[F ] = [f ]Hn;
1
where Hn denotes the Hadamard matrix of order n. Hn is dened recursively by
H0 = [1];
Hn01 Hn01
:
Hn =
H
0H
#
"
n01
n01
Hn is a 2n 22n symmetric non-singular matrix, and its inverse is 20n Hn .
The inverse Walsh transform
is represented as
[f ] = 20n[F ]Hn:
A Boolean function is a function of the form f : f0; 1gn ! f0; 1g. Let Bn be the set of Boolean
functions.
The Walsh transform can be applied to Boolean functions when they are considered to be realvalued functions. For the analysis of Boolean functions, it is often convenient to work with f^ :
= (01)f (x) . The Walsh transform of f^ is
f0; 1gn ! f01; 1g, where f^(x) def
F^ (! ) =
f^(x)(01)!1x =
(01)f (x)8!1x:
X
x2f0;1gn
X
X F^ (!) = 2
x2f0;1gn
Proposition 1 For every f 2 Bn,
2
!2f0;1gn
2n
.
2
Denition 2 The autocorrelation function of a Boolean function f 2 Bn is Cf : f0; 1gn ! N such
that
Cf (z ) =
X
x2f0;1gn
f^(x)f^(x 8 z );
where x 8 z denotes (x1 8 z1; : : : ; xn 8 zn).
2
Proposition 2 shows a relationship between the autocorrelation function and the Walsh transform.
Proposition 2 For every f 2 Bn, Cf = W01(F^ 2).
2
2.2 The propagation criterion
For a set S, let jSj denote the number of elements in S. For f 2 Bn and c 2 f0; 1g, let f 01(c) =
fx j f (x) = cg.
Denition 3 A Boolean function f 2 Bn is balanced if and only if jf 01(c)j = 2n01 for every
c 2 f0; 1g.
2
For every f0; 1g-vector a, let W (a) be the Hamming weight of a, that is, the number of 1's in a.
Denition 4 f 2 Bn is said to satisfy the propagation criterion(PC) of degree k if and only if
f (x) 8 f (x 8 a) is balanced for every a 2 f0; 1gn such that 1 W (a) k . f is perfectly nonlinear if
and only if f satises the PC of degree n.
2
Let PCn(k) denote the set of Boolean functions in Bn satisfying the PC of degree k.
The condition of the above denition states that
Pr(f (x) 8 f (x 8 a) = c) = 1=2
for every a 2 f0; 1gn such that 1 W (a) k and every c 2 f0; 1g. This means that the value of f
changes with probability 1=2 if at most any k of input variables change. This sensitivity of the value
to the input variables is desirable for cryptographic transformations.
The following proposition directly follows from the denition of the autocorrelation function and
the PC.
2
Proposition 3 Let f 2 Bn.
satises the PC of degree k if and only if
a 2 f0; 1g such that 1 W (a) k .
n
f
C f (a)
= 0 for every
2
For perfectly nonlinear Boolean functions, the following proposition was proved[MS90].
Proposition 4 Let f 2 Bn. f 2 PCn(n) if and only if F^ (!) = 2n=2 for every ! 2 f0; 1gn.
2
Let Vn = f0; 1gn 0 f(0; : : : ; 0)g.
Denition 5 Let f 2 Bn and a 2 Vn. f is said to satisfy the PC with respect to a if f (x) 8 f (x 8 a)
is balanced.
2
2.3 Unateness, Symmetry, and Self-Duality
We begin by dening the unate functions[Koh78].
Denition 6 A Boolean function f (x1; : : : ; xn) 2 Bn is said to be positive(negative) in a variable
xi if and only if there exists a disjunctive expression of f in which xi appears only in uncomplemented(complemented) form. If f is positive(negative) in all of its variables, then f is simply said to
be positive(negative).
2
Denition 7 A Boolean function f (x1 ; : : : ; xn) 2 Bn is said to be unate in a variable xi if and only
if f is positive or negative in xi. If f is unate in all of its variables, then f is simply said to be unate.
2
For example, f (x1; x2; x3) = x1 x2 _ x2 x3 is unate in x1 and x3 and not unate in x2.
Proposition 5 Let f 2 Bn. f (x1; : : : ; xn) is positive in xi if and only if f jxi=0 f jxi=1.
Proposition 6 Let f 2 Bn. f (x1; : : : ; xn) is negative in xi if and only if f jxi=0 f jxi=1 .
2
2
Next, symmetry of Boolean functions is dened.
Denition 8 Let f 2 Bn. f is said to be symmetric if and only if (W (a) = W (b)) ) (f (a) = f (b))
for every a; b 2 f0; 1gn.
2
The value of symmetric Boolean functions is determined by the number of 1's in the input variables. Let Sn be the set of symmetric Boolean functions. For f 2 Sn, let f (w) denote the value of f
to the input variables containing w 1's. Let I f0; 1; : : : ; ng. SnI represents the symmetric function
f 2 Sn such that f (w) = 1 if and only if w 2 I.
Self-duality of Boolean functions is dened below.
Denition 9 Let f 2 Bn. f is said to be self-dual if and only if f (x1; : : : ; xn) = 18 f (18 x1; : : : ; 18
xn ).
2
Let Dn denote the set of self-dual f 2 Bn.
The following proposition is immediate from the denition of the self-duality and that of the
autocorrelation function.
Proposition 7 Let f 2 Bn. f 2 Dn if and only if Cf (1; : : : ; 1) = 02n.
3
2
x1 _ x2
x1 _ x2
x1 _ x2
x1 _ x2
x1 x2
x1 x2
x1 x2
x1 x2
Figure 1: Boolean functions in PC2(2)
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x1 x2
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 _ x1 x3 _ x2 x3
x1 x2 x3 _ x1 x2 x3
x1 x2 x3 _ x1 x2 x3
x1 x2 x3 _ x1 x2 x3
x1 x2 x3 _ x1 x2 x3
Figure 2: Boolean functions in PC3(2)
3 Unateness
Figures 1 and 2 give all Boolean functions in PC2(2) and PC3(2), respectively. From these gures, it
is easily observed that both PC2(2) and PC3(2) contain unate functions.
Suppose that f (x1; : : : ; xn) 2 Bn is unate in xn . Then, for every (a1; : : : ; an01) 2 f0; 1gn01,
f (a1 ; : : : ; an01 ; 0) = 0 if f (a1 ; : : : ; an01 ; 1) = 0 or f (a1 ; : : : ; an01 ; 1) = 0 if f (a1 ; : : : ; an01 ; 0) = 0.
This regularity does not seem compatible with the PC. In the following, this conjecture is shown to
be correct for f 2 Bn when n 4. Before showing the results, several lemmas are presented.
Lemma 1 [HI95a] Let w, x, y, z and m be integers such that w x y z 0 and m 0. Let
w2 + x2 + y2 + z 2 = 2m.
Then,
for even m, w = x = y = z = 2(m02)=2, or w = 2m=2 and x = y = z = 0,
for odd m, w = x = 2(m01)=2 and y = z = 0.
2
Lemma 2 Let n 2 and f 2 PCn (1). Then, for every i such that 1 i n, f (x1; : : : ; xn) is
i
positive in xi if and only if F^ (0; : : : ; 0; 1; 0; : : : ; 0) = 2n01.
(Proof) Suppose that i = n. Since f 2 PCn(1), f (x1; : : : ; xn01 ; 0)8 f (x1; : : : ; xn01; 1) is balanced,that
is, jfhxin01 j f jxn=0 6= f jxn =1gj = 2n02 . Thus,
f^(x)(01)xn
F^ (0; : : : ; 0; 1) =
X
=
=
=
X
x2f0;1gn
(f^jxn=0 0 f^jxn=1 )
hxin01 2f0;1gn01
2jfhxin01 j f jxn =0 = 0; f jxn =1 = 1gj 0 2jfhxin01 j f jxn =0
2n01 0 4jfhxin01 j f jxn =0 = 1; f jxn =1 = 0gj:
4
= 1; f jxn =1 = 0gj
Hence, F^ (0; : : : ; 0; 1) = 2n01 if and only if f (x) is positive in xn. The same argument can be applied
to the case where 1 i n 0 1.
2
The following lemma can be proved in the same way as Lemma 2.
Lemma 3 Let n 2 and f 2 PCn (1). Then, for every i such that 1 i n, f (x1; : : : ; xn) is
i
negative in xi if and only if F^ (0; : : : ; 0; 1; 0; : : : ; 0) = 02n01.
2
From Lemmas 2 and 3, if f (x1; : : : ; xn) 2 PCn(1) is unate in xi, then
i
1
^2
F^ 2 (0; 1 1 1 ; 0; 1; 0; : : : ; 0) = 22n02 =
4 !2f0;1gn F (!):
X
From this fact, it is immediately derived that every Boolean function satisfying the PC of degree 1 is
unate in at most 4 of its variables. A more strict result is given in the following.
Lemma 4 Let f 2 Bn. Then, f 2 PCn(k) if and only if
X F^ (!) = X F^ (!) = 2
2
2
a1!=0
2n01
a1!=1
n
for every a 2 f0; 1g such that 1 W (a) k.
X
X
X
(Proof) Since f 2 Bn, f 2 PCn(k) if and only if, for every a 2 f0; 1gn such that 1 W (a) k,
1
a1!
^2
^2
^2
Cf (a) = n
2 !2f0;1gn F (!)(01) = 0. Thus, a1!=0 F (!) = a1!=1 F (!). The lemma holds because
F^ 2 (! ) = 22n for every f 2 Bn .
2
X
!2f0;1gn
Theorem 1 Let n 4. If f 2 PCn(1), then f is unate at most two of its variables.
(Proof) Without loss of generality, it can be assumed that f (x1; : : : ; xn) 2 PCn(1) is unate in x1, x2
and x3. Then, from Lemmas 2 and 3,
F^ 2 (1; 0; 0; 0; : : : ; 0) + F^ 2 (0; 1; 0; 0; : : : ; 0) + F^ 2 (0; 0; 1; 0; : : : ; 0)
= 22(n01) + 22(n01) + 22(n01)
= 22n01 + 22n02:
Since f (x1; : : : ; xn) 2 PCn(1), from Lemma 4,
F^ 2 (! ) = 22n01 , which causes a contradiction. 2
X
!4 =0
The optimality of the above result can also be proved. In the following, we present an exact
characterization of a Boolean function in PCn(1) that is unate in two of its variables.
Theorem 2 Let n 4 and f 2 PCn(1). f (x1; : : : ; xn) is unate in xi and xj if and only if f satises
one of the following two conditions:
F^ (k) = 0 if k 62 f2i01; 2j01; 2n 02i01 01; 2n 02j01 01g, and an odd number of F^ (2i01 ), F^ (2j01 ),
F^ (2n 0 2i01 0 1) and F^ (2n 0 2j 01 0 1) are equal to 2n01 and the others are equal to 02n01 .
F^ (k) = 0 if k 62 f2i01; 2j01; 2n 01; 2n 02i01 02j01 01g, and an odd number of F^ (2i01 ), F^ (2j01 ),
F^ (2n 0 1) and F^ (2n 0 2i01 0 2j 01 0 1) are equal to 2n01 and the others are equal to 02n01 .
5
(Proof) We prove the theorem only for the rst condition. It can be proved in the same way for the
second condition.
Suppose that f 2 PCn(1) is unate in x1 and x2. Then,
F^ 2 (1; 0; 0; : : : ; 0) + F^ 2 (0; 1; 0; : : : ; 0) = 22(n01) + 22(n01) = 22n01 :
Since F^ 2(!) = 22n01 for every i such that 3 i n,
X
8>< (1; 0; 0; : : : ; 0);
! 6= > (1; 0; 1; : : : ; 1);
: (0; 0; 1; : : : ; 1);
9>=
>;
!i =0
Let
Since
(0; 1; 0; : : : ; 0);
(0; 1; 1; : : : ; 1); ) F^ (!) = 0:
(1; 1; 1; : : : ; 1)
F^ (1; 0; 0; : : : ; 0) = F^1 ; F^ (0; 1; 0; : : : ; 0) = F^0 ;
F^ (1; 0; 1; : : : ; 1) = F^10; F^ (0; 1; 1; : : : ; 1) = F^01 ;
F^ (0; 0; 1; : : : ; 1) = F^00; F^ (1; 1; 1; : : : ; 1) = F^11 :
X F^ (!) = X F^ (!) = 2
2
2
!i =0
2n01
!i =1
for i = 1; 2,
2
F^00
+ F^012 = F^102 + F^112 = F^002 + F^102 = F^012 + F^112 = 22(n01) :
From Lemma 1, there are following two cases:
C-1. F^10 = F^01 = 2n01, F^00 = F^11 = 0,
C-2. F^ = F^ = 2 , F^ = F^ = 0.
For C-1,
h ilet b = (1; 0; 0; : : : ; 0), b = (0; 1; 0; : : : ; 0) b = (1; 0; 1; : : : ; 1), and b
Then, f^ can be represented as
hf^i = 1 hF^i H = 1 F^ h^l i + F^ h^l i + F^ h^l i + F^ h^l i :
00
11
1
n01
10
01
2
3
4
= (0; 1; 1; : : : ; 1).
n
0 b2
10 b3
01 b4
2n
2n 1 b1
Since b1 8 b2 8 b3 8 b4 = (0; : : : ; 0), for every x 2 f0; 1gn, an even number of ^lb1 (x), ^lb2 (x), ^lb3 (x) and
^lb4 (x) are equal to 1, and the others are equal to 01. Thus, an odd number of F^1, F^0 , F^10 and F^01
must be equal to 2n01 and the others must be equal to 02n01 since f 2 Bn.
Conversely, if an odd number of F^1, F^0, F^10 and F^01 are equal to 2n01 and the others are equal
to 02n01, then f 2 PCn(1) and f is unate in x1 and x2.
The same argument as the above one can be applicable to C-2.
2
Corollary 1 Let n 4. For every i, j such that 1 i < j n, there are 16 f (x1; : : : ; xn)'s in
PCn(1) that are unate in xi and xj .
2
The proof of Theorem 2 gives a method of construction for Boolean functions satisfying the PC
of degree 1 and are unate in two of their variables. This method can construct every such functions.
Example 1 Four Boolean functions are given that are in PC4(1) and that are positive in x1 and x2.
Let
hF^ i
hF^ i
0
1
= [0; 8; 8; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 08; 8; 0];
= [0; 8; 8; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 8; 08; 0]:
6
Then,
hf^ i = 1 hF^ i H = [1; 1; 01; 01; 1; 01; 1; 01; 1; 01; 1; 01; 1; 1; 01; 01];
2
hf^ i = 1 hF^ i H = [1; 01; 1; 01; 1; 1; 01; 01; 1; 1; 01; 01; 1; 01; 1; 01]:
0
4
0
4
1
24
1
4
Thus,
f0 (x1 ; x2 ; x3 ; x4 ) = x1 x3 x4 _ x1 x3 x4 _ x2 x3 x4 _ x2 x3 x4 = x1 (x3 8 x4 ) _ x2 (x3 8 x4 8 1);
f1 (x1 ; x2 ; x3 ; x4 ) = x1 x3 x4 _ x1 x3 x4 _ x2 x3 x4 _ x2 x3 x4 = x1 (x3 8 x4 8 1) _ x2 (x3 8 x4 ):
The other two functions can be constructed in the same way as the above. They are
g0 (x1 ; x2 ; x3 ; x4 ) = x1 x2 _ x1 x3 x4 _ x1 x3 x4 _ x2 x3 x4 _ x2 x3 x4 = x1 x2 _ (x1 _ x2 )(x3 8 x4 );
g1 (x1 ; x2 ; x3 ; x4 ) = x1 x2 _ x1 x3 x4 _ x1 x3 x4 _ x2 x3 x4 _ x2 x3 x4 = x1 x2 _ (x1 _ x2 )(x3 8 x4 8 1):
The truth tables of the above functions are presented in Figure 3.
2
The observation in Example 1 can be generalized to the following corollary of Theorem 2.
Corollary 2 Let n 4 and f 2 PCn(1). f (x1; : : : ; xn) is unate in xi and xj if and only if f can be
represented in one of the following formulas:
(c1 8 xi)Lfi;jg(x1; : : : ; xn) _ (c2 8 xj )(1 8 Lfi;jg(x1; : : : ; xn)),
(c1 8 xi)(1 8 Lfi;jg (x1; : : : ; xn)) _ (c2 8 xj )Lfi;j g(x1; : : : ; xn),
(c1 8 xi)(c2 8 xj ) _ ((c1 8 xi) _ (c2 8 xj ))Lfi;jg (x1; : : : ; xn),
(c1 8 xi)(c2 8 xj ) _ ((c1 8 xi) _ (c2 8 xj ))(1 8 Lfi;jg(x1; : : : ; xn)),
where Lfi;jg (x1; : : : ; xn) =
xk and c1 ; c2 2 f0; 1g.
M
2
k2f1;:::;ng0fi;j g
2.
The following theorem is on non-unateness of the Boolean functions satisfying the PC of degree
Theorem 3 Let n 4. If f 2 PCn(2), then f is not unate in any one of its variables.
X
X
(Proof) Suppose that f 2 PCn(2) is unate in x1 . Then, F^ 2(1; 0; : : : ; 0) = 22(n01). Let i, j be any
integers such that 2 i < j n. Since f 2 PCn(2), F^ 2(!) = 22n01,
F^ 2 (!) = 22n01 , and
!i =0
!j =0
^F 2(!) = 22n01. Thus,
X
X F^ (!) + X F^ (!) 0 2F^ (1; 0; : : : ; 0) 0 X
!i 8!j =1
2
!i =0
2
!j =0
2
!i 8!j =1
F^ 2 (! ) = 0:
From this equation, if F^ (!) 6= 0, then at most one of !2; : : : ; !n is 0 or ! = (1; 0; : : : ; 0).
If n = 4, then, for every f 2 PC4(2), f is perfectly nonlinear and F^ 2 (!) = 16 for every ! 2 f0; 1g4,
which is a contradiction.
7
x x
3 4
x x
3 4
00
x x
1 2
01
11
10
00
x x
1 2
00
01
11
10
00
01
1
11
1
01
1
1
10
1
1
f
1
11
1
1
10
1
1
1
1
1
1
f
0
x x
3 4
1
x x
3 4
00
x x
1 2
1
01
11
10
00
x x
1 2
00
01
11
10
00
01
1
11
1
1
10
1
g
1
1
01
1
1
11
1
1
10
1
1
1
1
1
g
0
1
1
Figure 3: Functions in PC4(1) and positive in x1 and x2
For n 5,
X
!i 8!j =1
F^ 2 (! )
j
i
= F^ 2(0; 1; : : : ; 1; 0; 1; : : : ; 1) + F^ 2(0; 1; : : : ; 1; 0; 1; : : : ; 1) +
j
i
F^ 2 (1; 1; : : : ; 1; 0; 1; : : : ; 1) + F^ 2 (1; 1; : : : ; 1; 0; 1; : : : ; 1)
= 22n01:
Thus, from Lemma 1, for every ! 2 f0; 1gn such that only one of !2; : : : ; !n is 0 and F^ (!) 6= 0,
F^ 2 (!) = 22n02 . For every ! 2 f0; 1gn such that only one of !2 ; : : : ; !n is 0, since
F^ 2 (! ) =
F^ 2 (! ) = 22n01 ;
X
X
!1 =0
!1 =1
F^ 2 (1; 0; : : : ; 0) = 22(n01) ;
8
at most three of F^ 2(!)'s are 22n02, while, since
F^ 2 (! ) =
F^ 2 (!) = 22n01 ;
X
X
!2 8!3 =1
!4 8!5 =1
at least four of F^ 2(!)'s are 22n02. This causes a contradiction. Thus, the theorem has been proved.
2
4 Symmetry
In this section, relationships between the symmetry and the PC are presented.
The following lemma shows a necessary condition for the Boolean functions satisfying the PC of
degree 2 to be symmetric.
Lemma 5 Let n 2. If f 2 PCn(2) \ Sn, thenf (w+2) = f (w) for every w such that 0 w n 0 2.
(Proof) Let p be 1 p n 0 1. Let bp = (bp1; : : : ; bpn) 2 f0; 1gn such that bpp = bpp+1 = 1 and bpi = 0 if
i 6= p; p + 1.
Since f 2 PCn(2), f (x) 8 f (x 8 bp) is balanced for every p such that 1 p n 0 1. Since f 2 Sn,
f jxp =0;xp+1 =1 f jxp =1;xp+1 =0
for every p such that 1 p n 0 1. Thus,
f jxp =0;xp+1 =0 8 f jxp =1;xp+1 =1 1
for every p such that 1 p n 0 1. Thus, f (w+2) = f (w) for every w such that 0 w n 0 2. 2
The following lemma shows that there exist symmetric functions satisfying the PC of maximum
degree.
Lemma 6 Let n 2 and f 2 Sn. If f (w+2) = f (w) for every w such that 0 w n 0 2, then
PCn(n)
for even n,
f2
PCn(n 0 1) for odd n.
(
(Proof) Let W (a) = r and I(a) = fi j ai = 1; 1 i ng. Let Rj = f4k + j j k = 0; 1; : : : ; b(n 0 j )=4cg
for j = 0; 1; 2; 3.
f is any one of SnR0 [R1 , SnR0 [R3 , SnR2 [R3 and SnR1 [R2 . Since SnR2 [R3 = SnR0 [R1 and SnR0 [R3 =
SnR1 [R2 , it is sucient to prove for SnR0 [R1 and SnR1 [R2 .
For the case where f = SnR0 [R1 :
(i) Suppose that r 0 (mod 4).
For every x 2 f0; 1gn such that jI(a) \ I (x)j = 2k for some k such that 0 k r=2,
jW (x) 0 W (x 8 a)j 0 (mod 4):
Thus, in this case, f (x) 8 f (x 8 a) = 0.
For every x 2 f0; 1gn such that jI(a) \ I (x)j = 2k + 1 for some k such that 0 k r=2 0 1,
jW (x) 0 W (x 8 a)j 2 (mod 4):
Thus, in this case, f (x) 8 f (x 8 a) = 1.
From the above discussion,
fx j f (x) 8 f (x 8 a) = 1g = fx j jI(a) \ I (x)j is oddg:
9
Hence,
jfx j f (x) 8 f (x 8 a) = 1gj = 2
n0r
X
r=201
k=0
C
r 2k+1
= 2n01:
(ii) Suppose that r 1 (mod 4).
For every x 2 f0; 1gn such that jI(a) \ I (x)j = 2k for some k such that 0 k (r 0 1)=2,
(mod 4) if r 0 2k 2k
jW (x) 0 W (x 8 a)j = 4r k004kr 31 (mod
4) if r 0 2k < 2k.
Thus, in this case, f (x) 8 f (x 8 a) = 1 if and only if W (x) is odd.
For every x 2 f0; 1gn such that jI(a) \ I (x)j = 2k + 1 for some k such that 0 k (r 0 1)=2,
r 0 (4k + 2) 3 (mod 4) if W (x 8 a) W (x)
jW (x) 0 W (x 8 a)j = (4
k + 2) 0 r 1 (mod 4) if W (x 8 a) < W (x).
Thus, in this case, f (x) 8 f (x 8 a) = 1 if and only if W (x) is even.
From the above discussion,
fx j f (x) 8 f (x 8 a) = 1g =
fx j jI(a) \ I (x)j is even and W (x) is oddg [ fx j jI(a) \ I (x)j is odd and W (x) is eveng:
Hence, unless n 1 (mod 4) and a = (1; : : : ; 1), then
r01
r01
b n02r01 c
b n02r01 c
2
2
jfx j f (x) 8 f (x 8 a) = 1gj =
r C2k
n0r C2j +1 +
r C2k+1
n0r C2j +1
(
(
X
X
X
X
k=0
n01 ;
j =0
k=0
j =0
= 2
and f (x) 8 f (x 8 a) is balanced. If n 1 (mod 4) and a = (1; : : : ; 1), then
fx j jI(a) \ I (x)j is even and W (x) is oddg = ;
fx j jI(a) \ I (x)j is odd and W (x) is eveng = :
Thus, in this case, f (x) 8 f (x 8 a) 0.
(iii) Suppose that r 2 (mod 4). In this case, we can prove in the same way as (i) that
fx j f (x) 8 f (x 8 a) = 1g = fx j jI(a) \ I (x)j is eveng:
Hence,
jfx j f (x) 8 f (x 8 a) = 1gj = 2
n0r
XC
r=2
k=0
r 2k
= 2n01 :
(iv) Suppose that r 3 (mod 4). It can be obtained in the same way as (ii) that
fx j f (x) 8 f (x 8 a) = 1g =
fx j jI(a) \ I (x)j and W (x) are eveng [ fx j jI(a) \ I (x)j and W (x) are oddg:
Hence, unless n 3 (mod 4) and a = (1; : : : ; 1), then
r01
r01
d n02r01 e
d n02r01 e
2
2
jfx j f (x) 8 f (x 8 a) = 1gj =
r C2k
n0r C2j +
r C2k+1
n0r C2j
X
X
X
X
k=0
n01 ;
j =0
k=0
j =0
= 2
10
and f (x) 8 f (x 8 a) is balanced. If n 3 (mod 4) and a = (1; : : : ; 1), then
fx j jI(a) \ I (x)j is even and W (x) is oddg = fx j W (x) is oddg
fx j jI(a) \ I (x)j is odd and W (x) is eveng = fx j W (x) is eveng:
Thus, in this case, f (x) 8 f (x 8 a) 1.
For the case where f = SnR1 [R2 :
(v) Suppose that r 0 (mod 4). It is obtained that
fx j f (x) 8 f (x 8 a) = 1g = fx j jI(a) \ I (x)j is oddg:
Hence, f (x) 8 f (x 8 a) is balanced.
(vi) Suppose that r 1 (mod 4). It can be obtained that
fx j f (x) 8 f (x 8 a) = 1g =
fx j jI(a) \ I (x)j and W (x) are eveng [ fx j jI(a) \ I (x)j and W (x) are oddg:
Hence, unless n 1 (mod 4) and a = (1; : : : ; 1), then f (x)8 f (x 8 a) is balanced. If n 1 (mod 4)
and a = (1; : : : ; 1), then f (x) 8 f (x 8 a) 1.
(vii) Suppose that r 2 (mod 4). In this case, we can prove in the same way as (i) that
fx j f (x) 8 f (x 8 a) = 1g = fx j jI(a) \ I (x)j is eveng:
Hence, f (x) 8 f (x 8 a) is balanced.
(viii) Suppose that r 3 (mod 4). It is obtained that
fx j f (x) 8 f (x 8 a) = 1g =
fx j jI(a) \ I (x)j is even and W (x) is oddg [ fx j jI(a) \ I (x)j is odd and W (x) is eveng:
Hence, unless n 3 (mod 4) and a = (1; : : : ; 1), then f (x)8 f (x 8 a) is balanced. If n 3 (mod 4)
and a = (1; : : : ; 1), then f (x) 8 f (x 8 a) 0.
2
From the above two lemmas, the following theorem is obtained.
Theorem 4 Let n 2.
If n is even, then, for every k such that 2 k n,
PCn(k) \ Sn = ff 2 Sn j f (w+2) = f (w) for every w such that 0 w n 0 2g:
If n is odd, then, for every k such that 2 k n 0 1,
PCn(k) \ Sn = ff 2 Sn j f (w+2) = f (w) for every w such that 0 w n 0 2g:
2
The number of symmetric Boolean functions with n variables satisfying the PC of degree more than
1 is 4 for n 4.
11
Theorem 5 Let n 2 be even and f 2 Sn. f 2 PCn(1) if, for every w such that 0 w n=2 0 1,
or
f (w+1) = f (w)
and f (n0w) = f (n0w01) ;
f (w+1) = f (w)
and f (n0w) = f (n0w01) :
(Proof) f (x1; : : : ; xn01; xn) 8 f (x1; : : : ; xn01 ; xn 8 1) is balanced if and only if f (x1; : : : ; xn01; 0) 8
f (x1 ; : : : ; xn01 ; 1) is balanced. Suppose that f (w+1) = f (w) and f (n0w) = f (n0w01) , or f (w+1) = f (w)
and f (n0w) = f (n0w01) . Then, for every k such that 0 k n=2 0 1,
jfhxin01 j f (hxin01 ; 0) 8 f (hxin01; 1) = 1, and W (hxin01) = k or W (hxin01) = n 0 1 0 kgj
= n01 Ck :
Thus,
jfhxin01 j f (hxin01; 0) 8 f (hxin01; 1) = 1gj =
X
n=201
k=0
C = 2n02:
n01 k
This implies that f (x1; : : : ; xn01; xn) 8 f (x1; : : : ; xn01; xn 8 1) is balanced.
It can be proved in the same way that f (x1; : : : ; xn) 8 f (x1; : : : ; xi01; xi; xi+1; : : : ; xn) is balanced
for every i such that 1 i n 0 1.
2
From the above theorem, it follows that jPCn(1) \ Snj 2n=2+1 for every even n 2.
Corollary 3 For every even n 4, PCn(1) \ Sn 6= PCn(2) \ Sn = 1 1 1 = PCn(n) \ Sn.
2
5 Self-Duality
Self-duality of Boolean functions satisfying the PC is discussed in this section. First, two lemmas are
presented on the properties of self-dual Boolean functions.
Lemma 7 If f 2 Dn, then
0
if W (!) is even
F^ (! ) =
^
2F0(h!in01) if W (!) is odd,
where F^0(h!in01) =
f^(hxin01 ; 0)(01)h!in01 1hxin01 .
(
X
hxin01
X
X f^(hxi ; 0)(01) 0
X0 f^(hxi ; 0)(01) 0
X0 f^(hxi ; 0)(01) 0
X0 f^(hxi ; 0)(01) 0
8>< 00
X
2
>: 0 f^(hxi ; 0)(01)
(Proof) Since f (x1; : : : ; xn) = 18f (18x1; : : : ; 18xn), f (x1 ; : : : ; xn01; 1) = 18f (18x1; : : : ; 18xn01; 0).
F^ (! ) =
f^(x)(01)!1x
=
=
=
=
=
x
hxin
hxin
hxin
hxin
X f^(hxi ; 1)(01) 0 0
X0 f^(1 8 x ; : : : ; 1 8 x ; 0)(01)
0 0
X0 f^(hyi ; 0)(01)
0
0 0
0
X
0 0
0
f^(hy i ; 0)(01) 0
h!in 1 1hxin01 +
n01
1
h!in 1 1hxin
n01
1
h!in 1 1hxin
n01
1
h!in 1 1hxin
n01
hxin
n01
1
1
1
hyin
n01
1
1
hyin01
h!in01 1hxin01
1
h!in 1 1hxin 1 8!n
1
1
1
hxin
hxin
n01
n01
n01
h! in01 1hxin01 8!n
!1 (18y1 )81118!n 1 (18yn01 )8!n
h!in 1 1hyin 1 8(!1 81118!n )
if W (!) is even
if W (!) is odd.
2
12
Lemma 8 Let f 2 Dn. Then,
Cf (a) =
(Proof)
( 2C
(
)
f jxn =0 a1 ; : : : ; an01
Cf jxn =0 a1 ; : : : ; an01
02
( 81
X F^ (!)(01)
0
1 @ X F^ (h!i ; 0)(01)
Cf (a) =
1
2n
F^ (h! in01
! 1a
2
!
= 2n
h!in01
From Lemma 7,
2
n01
(0
; 0) =
2F^ (h!i
( 2F^ (h!i
F^ (h! in01 ; 1) =
Thus,
Cf (hain01 ; 0)
And,
Cf (hain01 ; 1)
if an = 0
8 1) if an = 1.
0
X F^ (h!i
0 +
h!in01 1hain
2
1
h!in01
0
if W (h!in01 ) is even
n01 ) if W (h! in01 ) is odd,
0
n01
n01 ;
1)(01)h!in011hain01 8an
1
A:
) if W (h!in01 ) is even
if W (h!in01 ) is odd.
X
X
X
X
X
F^ 2 (h! in01 ; 0) + F^ 2 (h!in01 ; 1) (01)h!in01 1hain01
= 21n
h! in01
1
= 2n02
F^02 (h! in01 )(01)h!in011hain01
h! in01
= 2Cf jxn =0 (a1; : : : ; an01):
= 21n
F^ 2 (h! in01 ; 0) 0 F^ 2 (h!in01 ; 1) (01)h!in01 1hain01
h! in01
1
F^02 (h! in01 )(01)h!in011hain01 8(!1 81118!n0181)
= 2n02
h! in01
= 0 2n102
F^02 (h!in01 )(01)!1 (a1 81)81118!n01(an0181)
h!in01
= 02Cf jxn =0 (a1 8 1; : : : ; an01 8 1):
2
The following results show that there exist self-dual Boolean functions satisfying the PC. The
maximum degree of the PC of self-dual Boolean functions with an odd number of variables, however,
is dierent from that of self-dual Boolean functions with an even number of variables.
First, Boolean functions with an odd number of variables are discussed. The following proposition
gives a necessary and sucient condition for Boolean functions with an odd number of variables
satisfying the PC of maximum degree.
Proposition 8 Let n 3 be odd and f 2 Bn. f 2 PCn(n 0 1) if and only if
n+1
^F (!) = 0 n+1 if W (!) is even or F^ (!) = 2 2 if W (!) is even
2 2 if W (!) is odd
0
if W (!) is odd.
2
13
(
(
It is shown in [HI95a], for every(n0odd
n 3, that the number of Boolean functions in PCn (n 0 1) is
1)=2 (n01)=2
2
2jPCn01(n 0 1)j, which is (2
2
!)[Rue91], and that, for the half of them, F^ (!) = 0 for
every ! such that W (!) is even.
Theorem 6 Let n 3 be odd and f 2 Bn. Then, f 2 PCn(n 0 1) \ Dn if and only if
F^(!) = ( 0
2
n+1
2
if W (!) is even
if W (!) is odd.
(Proof) From Lemma 7 and Proposition 8, it is clear that
0 n+1 if W (!) is even
F^ (!) =
2 2 if W (!) is odd
if f 2 PCn(n 0 1) \ Dn.
If f 2 Bn and
0 n+1 if W (!) is even
F^ (!) =
2 2 if W (!) is odd
then, f 2 PCn(n 0 1) and
1 F^ 2(!)(01)!1 81118!n = 2
Cf (1; : : : ; 1) = n
(01)!181118!n = 02n:
2 !
!;W (! ) is odd
(
(
X
X
Thus, from Proposition 7, f 2 Dn.
2
Next, Boolean functions with an even number of variables is discussed. The following theorem
indicates that, for every even n 2, the degree of the PC of self-dual Boolean functions with n
variables is at most n=2 0 1 and that there really exist self-dual Boolean functions with n variables
satisfying the PC of degree n=2 0 1.
Corollary 4 Let n 3 be odd. PCn(n 0 1) \ Dn = PCn(n 0 1) \ ff 2 Bn j f is balancedg.
2
Theorem 7 Let n 2 be even. Then,
1. PCn(n=2) \ Dn = ,
2. PCn(n=2 0 1) \ Dn 6= .
(Proof) 1) Suppose that f 2 Dn. For f jxn =0 2 Bn01, Cf jxn =0 (0; : : : ; 0) 6= 0. Since f jxn =0 does not
satisfy the PC with respect to at least one element (a1; : : : ; an01 ) 2 Vn01, Cf jxn =0 (a1; : : : ; an01) 6= 0.
Thus, from Lemma 8, Cf (0; : : : ; 0) 6= 0, Cf (1; : : : ; 1) 6= 0, and Cf (a1; : : : ; an01; 0) 6= 0, Cf (a1 8
1; : : : ; an01 8 1; 1) 6= 0, Let the Hamming weight of (a1; : : : ; an01 ) is k. Then, the Hamming weights
of (a1; : : : ; an01 ; 0) and (a1 81; : : : ; an01 81; 1) are k and n 0 k, respectively. Since 1min
maxfk; n 0
kn01
kg = n=2, f satises the PC of degree at most n=2 0 1.
2) Let b = (b1; : : : ; bn01 ) 2 f0; 1gn01 and bi = 1 if 1 i n=2 and bi = 0 if n=2 + 1 i n 0 1. Let
f 2 Dn and f jxn =0 satisfy the PC with respect to Vn01 0fbg. Then, from Lemma 8, Cf (a) 6= 0 if and
only if a 2 f(0; : : : ; 0); (1; : : : ; 1); (b1; : : : ; bn01; 0); (b1 8 1; : : : ; bn01 8 1; 1)g. Thus, f 2 PCn(n=2 0 1).
2
14
6 Conclusion
This paper has discussed the relationships between the PC and each one of the unateness, the symmetry and the self-duality.
It has been presented that Boolean functions satisfying the PC of degree 2 are not unate in any
one of its variables. This implies that the PC and the unateness are not compatible. The PC and the
symmetry are not compatible, either, in the sense that there exist only four symmetric functions with
a xed number of variables that satisfy the PC of degree 2. The presented results on the unateness
and the symmetry of Boolean functions satisfying the PC also show the dierence between the PC
of degree at most one and the PC of degree at least 2.
Relationships between the PC and the self-duality in this paper show a dierent behavior between
Boolean functions with an even number of variables and those with an odd number of variables. There
exist Boolean functions with an odd number of variables that satisfy the PC of maximum degree,
while the degree of the PC of self-dual Boolean functions with an even number of variables is less
than one half of the number of the variables.
One of the future works is to investigate the relationships between other nonlinearity criteria than
the PC and each one of the unateness, the symmetry and the self-duality.
References
[HI95a] Hirose, S. and Ikeda, K., \Propagation characteristics of Boolean functions and their balancedness," IEICE Trans. Fundamentals, vol. E78{A, no. 1, pp. 11{18, 1995.
[HI95b] Hirose, S. and Ikeda, K., \Relationships among nonlinearity criteria of Boolean functions,"
IEICE Trans. Fundamentals, vol. E78{A, no. 2, pp. 235{243, 1995.
[Koh78] Kohavi, Z., Switching and nite automata theory, 2nd edition, Tata McGraw-Hill, 1978.
[MS90] W. Meier, O. Staelbach: \Nonlinearity criteria for cryptographic functions," Proc. EUROCRYPT'89, LNCS no. 434, pp. 549{562 (1990).
[PLLGV91] B. Preneel, W. V. Leekwijk, L. V. Linden, R. Govaerts, J. Vandewalle: \Propagation characteristics of Boolean functions," Proc. EUROCRYPT'90, LNCS no. 473, pp. 161{173
(1991).
[PGV92] B. Preneel, R. Govaerts, J. Vandewalle: \Boolean functions satisfying higher order propagation criteria," Proc. EUROCRYPT'91, LNCS no. 547, pp. 141{152 (1992).
[Rot76] O. S. Rothaus: \On `bent' functions," J. Combinatorial Theo. (A), 20, pp. 300{305 (1976).
[Rue91] R. A. Rueppel: \Stream ciphers," in Contemporary cryptology: The science of information
integrity, G. Simmons, ed., IEEE Press, pp. 65{134 (1991).
[SZZ93] J. Seberry, X. M. Zhang, Y. Zheng: \Highly nonlinear balanced Boolean functions satisfying
high degree propagation criterion," Tech. Rep. The Univ. Wollongong, tr{93{1 (1993).
[SZZ94] J. Seberry, X. M. Zhang, Y. Zheng: \Characterizing the Structures of Highly Nonlinear
Cryptographic Functions," Tech. Rep. The Univ. Wollongong, tr{94{15 (1994).
[WT86] A. F. Webster, S. E. Tavares: \On the design of S-boxes," Proc. CRYPTO'85, LNCS no.
218, pp. 523{534 (1986).
15

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz